I am using PHP and MySQL. I have a database config file (db-config.php) which has my database name, username and password. My application and db config file are stored at: www(httpdocs)/app/db-config.php
Is that secure? Will others/hackers be able to steal my file and get my database login information?
Or should I put it outside the www folder, for example: db-config.php stored in a folder at the same level as www(httpdocs). So in one of my apps, I just do this:
include_once('../../db-config.php');
Will it work? I mean, jump 2 levels up to the root/www/httpdocs folder?
Do you have any more secure way to store the database password?
Upvotes: 0
Views: 683
Reputation: 4078
Make a configuration file, where you can keep all settings in one file, and you can keep it anywhere you want. All you need to do is call it whenever you need it.
For that configuration file, make the file permissions inaccessible to the public.
[local]
db_host = localhost
db_user = your_local_database_username
db_pass = **********
db_name = your_local_database_name
[server]
db_host = serverhost
db_user = your_local_database_username
db_pass = **********
db_name = your_server_database_name
<?php
$config_file_location_path = "/var/somelocation/config.ini";   // keep this outside the web root
$read_file = parse_ini_file($config_file_location_path, true); // true = keep the [section] structure
$read_data = $read_file['local'];                              // pick the [local] section
$db_config = $read_data;
$db_host = $db_config['db_host'];
$db_user = $db_config['db_user'];
$db_pass = $db_config['db_pass'];
$db_name = $db_config['db_name'];
$conn = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
if (!$conn) {
    // $conn is false on failure, so mysqli_errno($conn) cannot be used here
    die("Could not connect to server : " . mysqli_connect_error());
}
And if you want to work on the server, just change it to $read_data = $read_file['server'];
Upvotes: 1
Reputation: 1342
If you have enough control over the web server, I recommend adding a directory to PHP's include_path directive. Then, you can say something like:
In php.ini:
include_path=/home/xxxx/php_includes:blah.blah.blah
In /home/xxx/php_includes:
create a directory named "config"
create a file named "config/database_config.php"
In your PHP files:
include_once("config/database_config.php");
Easy to include, and safely outside the web root.
EDIT:
You can do this at runtime with the set_include_path function. Also, if you are using Apache, I think you can set this for a directory by placing php_admin_value directives in a .htaccess file (see the PHP documentation).
Upvotes: 1
Reputation: 15118
Placing the include file at a higher level will work. I put them in /var/www and use:
set_include_path(get_include_path() . PATH_SEPARATOR . '/var/www/');
require_once 'mysqli_connect.inc.php';
The passwords are in mysqli_connect.inc.php but users can't see the source code of PHP files, because PHP turns them into HTML before sending them to your browser.
Presumably you're not allowing browsers to see the contents of folders — No 'directoryindexes' as Apache calls them.
Upvotes: 0
Reputation: 27904
Nobody can see the source code of your .PHP files; the password is safe anywhere you place it, especially if you keep it inside your website folder (over which you have full control), since you don't put it in the public_ftp folder...
Maybe you can place it one level above the public_html folder, just in the [extreme] case somebody screws up the httpd.conf and PHP stops working, so sources would be revealed.
Upvotes: 1
Reputation: 4829
Hopefully the password isn't printed to the screen, but it is still best practice to have it in a directory not directly accessible through the web, yes. It's also a good idea for your web app to use a login with the minimum necessary permissions.
I run my web apps in a chroot jail, which means that I end up connecting over a local TCP connection instead of through a socket (e.g. I use '127.0.0.1' instead of "localhost") since the unix socket can't be seen from inside the jail.
Upvotes: 1
Reputation: 73
A lot of publicly downloaded PHP software usually has the config file with DB passwords in a directory under the www root folder, and as long as your server is configured correctly, it should be OK.
The better thing to do for any sensitive information like a config file with passwords, however, is to store it outside the document root (one folder up is the standard practice), and that is what I would recommend.
You can also pre-encrypt the password before you save it in your config file and then have your software decrypt it before using it (but this would only keep your password from being stored in the clear -- a hacker who has access to the source code of your files would be able to decrypt the stored password quite easily).
Upvotes: 6
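As an added example (not code from any of the answers above), here is one way to load the INI file from the first answer while enforcing the advice given in the later answers: the file must sit outside the document root, must not be world-readable, and connection failures are logged instead of printed to the visitor. It assumes a hypothetical path /etc/myapp/db-config.ini readable by the web server user, and that db_user is an account granted only the privileges the app needs.

```php
<?php
// Added example. Assumed location: /etc/myapp/db-config.ini (outside DocumentRoot),
// mode 0640, owned by root with the web server's group.
declare(strict_types=1);

function load_db_config(string $path, string $section): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    // Refuse credentials that live under the public document root: if the PHP
    // handler is ever disabled, the raw file would be served as plain text.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && strpos($real, rtrim($docroot, '/') . '/') === 0) {
        throw new RuntimeException("config file is inside the document root: $real");
    }
    // Refuse world-readable files: on shared hosting any local user could read them.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException("config file is world-readable: $real");
    }
    // Values containing ?{}|&~![()^" must be double-quoted in the INI file.
    $ini = parse_ini_file($real, true, INI_SCANNER_TYPED);
    if ($ini === false || !isset($ini[$section])) {
        throw new RuntimeException("section [$section] missing in $real");
    }
    foreach (['db_host', 'db_user', 'db_pass', 'db_name'] as $key) {
        if (!isset($ini[$section][$key])) {
            throw new RuntimeException("missing key $key in [$section]");
        }
    }
    return $ini[$section];
}

function connect_db(array $cfg): mysqli
{
    // Make mysqli throw instead of returning false, then log the detail
    // server-side so host names and user names never reach the browser.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli($cfg['db_host'], $cfg['db_user'], $cfg['db_pass'], $cfg['db_name']);
    } catch (mysqli_sql_exception $e) {
        error_log('DB connect failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

$cfg  = load_db_config('/etc/myapp/db-config.ini', 'server');
$conn = connect_db($cfg);
```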